[BIND] RE: KSK Rollover

Evan Hunt each at isc.org
Fri Sep 7 17:50:20 UTC 2018


On Fri, Sep 07, 2018 at 06:15:59PM +0200, Mark Elkins wrote:
> I kinda also wonder why the command simply doesn't output to stdout by
> default. The *only* reason I've ever run the command "rndc secroots" is
> to look at the output, that is, checking for the correct DNSKEY
> root-anchors - which I then need to use "cat" to see... if the file is
> correctly created... and if I remember where to look for it.
> If I wanted the output in a file, I can always redirect stdout.
> Sending output to stdout allows me to easily "filter" the output as well
> with other tools.
> 
> Perhaps Evan can comment?

For a long time, the text that could be sent back over the rndc channel
from named was limited to a smallish fixed-size buffer -- I think it was
2K or something. If an rndc command produced output, but we couldn't be
sure the output would be smaller than that buffer, we'd write it to a file
instead.

At some point -- in 9.11, I think? -- it occurred to us that the size
limitation wasn't a law of physics, and we could get rid of it.  So now
there are several rndc commands that print useful amounts of text, but
since "secroots" already existed before that change, we left its default
behavior the same as it had been before, and added a "-" option to return
text over the command channel.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

